Testifying on Cybersecurity Legislation

The Senate’s big cybersecurity bill has finally surfaced officially, and the hearing will be tomorrow at 2:30 DC time in front of the Homeland Security and Government Affairs Committee. After Sen. Rockefeller and Sec. Napolitano, I’ll be part of a panel that includes Gov. Tom Ridge, Scott Charney of Microsoft, and Jim Lewis of the Center for Strategic and International Studies.

Here’s the first few pages of my prepared testimony. The rest is up on Skating on Stilts, for those who just have to see my take on how to draft cybersecurity emergency authorities.

Mr. Chairman, Ranking Member Collins, members of the committee, it is an honor to testify before you on such a vitally important topic. I have been concerned with cybersecurity for two decades, both in my private practice and in my public service career, as general counsel to the National Security Agency and, later, to the Robb-Silberman commission that assessed U.S. intelligence capabilities on weapons of mass destruction, and, more recently, as assistant secretary for policy at the Department of Homeland Security. In those two decades, security holes in computer networks have evolved from occasionally interesting intelligence opportunities into a full-fledged counterintelligence crisis. Today, network insecurity is not just an intelligence concern. It could easily cause the United States to lose its next serious military confrontation.

Moore’s Outlaws: The Exponential Growth of the Cybersecurity Threat-

Our vulnerabilities, and their consequences, are growing at an exponential rate. We’ve all heard of Moore’s Law. What we face today, though, are Moore’s outlaws: criminals and spies whose ability to penetrate networks and to cause damage is increasing exponentially thanks to the growing complexity, vulnerability, and ubiquity of insecure networks. If we don’t do something, and soon, we will suffer network failures that dramatically change our lives and futures, both as individuals and as a nation.

It doesn’t take a high security clearance or great technical expertise to understand this threat. It follows from two or three simple facts.

Fact One. Breaking into computer networks to steal secrets has never been easier, despite all the security measures we encounter on those networks.

Why do I say that? Simple. In recent months, we have learned that some of the most security-conscious institutions on the planet have been compromised. HBGary, RSA, Verisign, and DigiNotar are all in the network security business; they understand how to protect secrets on line — if anyone does. But RSA was electronically attacked and its most important business secrets, the keys to its security business, were stolen. HBGary lost control of its CEO’s email correspondence to a group of online vigilantes, and its CEO lost his job as a result. DigiNotar, a Dutch entity that issues online credentials, was compromised by a hacker working with Iranian security forces. Six weeks after the breach became public, DigiNotar was out of business. I think it’s fair to say that these security-conscious companies would have done whatever they could to prevent these disclosures, but they failed. They were unable to secure their networks.

Actually, the same is true for governments. The Defense Department used to say that attacks on its systems had never penetrated the classified networks. Now it has disclosed that this is no longer true. Defense contractors have also been compromised, and with them, the designs for our most recent weapons systems.

That is the first fact: No network, no matter how important its secrets and no matter how security conscious its owner, can be seen as secure in today’s world. Attackers have an excellent chance of breaking in and stealing secrets. And here is the second:

Fact Two. Once the attackers are in, they don’t have to stop at stealing secrets. They can cause severe physical damage just by manipulating the digital systems they have compromised.

When I was at DHS, we demonstrated that hackers could cause a large generator to self-destruct, just by sending the generator commands over the network. More recently, the Stuxnet malware is believed to have crippled Iran’s uranium enrichment efforts for months, simply by infecting the computerized industrial control system responsible for Iran’s centrifuges. That was good news for people who think that Iran’s nuclear program is dangerous. But Stuxnet was also a proof of concept, showing that network flaws can be used to cause massive damage to any machinery that relies on computerized industrial controls.

And what machinery runs on such controls? Pretty much everything necessary to sustain our society: refineries, pipelines, electric power, water, and sewage systems. Worse, the industrial control systems that run these necessities are not really designed with cybersecurity in mind. In fact, there is reason to believe that Windows networks running on the Internet are much more secure than industrial control systems. At a minimum, we can say with confidence that industrial control systems are no better protected than the systems that failed at RSA, Verisign, HBGary, and DigiNotar.

Cyberweapons pose a real threat to the United States. Those two facts lead to a third, common-sense conclusion: Any nation that feels the need to prepare for a military confrontation with the United States has already begun developing cyberweapons. Cyberweapons are especially potent against the United States. That’s because they are deniable; figuring out who has launched a cyberattack will be very difficult, making our other military assets less useful in deterring attacks. Cyberweapons are also asymmetric; they cause more harm in developed nations than in less advanced societies. And perhaps most importantly, such weapons can overturn the American war experience of the last sixty years – that conflicts will be fought far away, at a time and place of our choosing. Any nation expecting a conflict with the American military would be enthusiastic about developing a weapon that can cause massive civilian suffering on our home front before a single shot has been fired on the battle lines.

Now that such a weapon is within their reach, the impact could be unprecedented. We have no experience with losing large parts of our power, refinery, water and sewage systems all at once. The closest we’ve come was New Orleans after Katrina. And there, everyone knew beforehand that the disaster was coming. Preparations had been made, and most people left the city well in advance. They went to places where the infrastructure still worked, while organized military and civilian relief efforts rapidly moved in to help those who remained. Even so, the breakdown in order and the human suffering was extreme.

Thanks to growing cyber insecurity, all Americans now live in a digital New Orleans, with Katrina just offshore. And not one Katrina, but many. Computer exploits that we once thought were the work of large nations such as Russia or China now seem to be within the capability of countries like Iran and North Korea. If I am right that computer insecurity continues to grow worse each year, then the sophistication needed to launch a cyberattack will continue to decline, and soon such attacks will be within the capability of criminal gangs and online vigilantes like Anonymous.

Disaster is not inevitable. We can head this threat off if we treat it seriously. We may have years before suffering an attack of this kind. We do not have decades. We must begin now to protect our critical infrastructure from attack. And so far, we have done little.

…

Another source of resistance comes from advocates who claim that this bill is somehow similar to the Stop Online Piracy Act, or SOPA. If the bill reaches the floor, they threaten, it will meet the same fate as SOPA.

Well, to paraphrase Sen. Bentsen in the 1988 vice-presidential debate, I knew SOPA, I opposed SOPA, and Mr. Chairman, this bill is no SOPA.

I took a very early stand against SOPA, and I’m proud to have played a role in forcing its reconsideration. SOPA was a bad idea because it would have given a little help to one industry while making everyone who uses the Internet much less secure. That criticism of SOPA struck a chord with Americans because we all use the Internet with a nagging fear that our security is at risk. That security concern was at the heart of the early opposition to SOPA. This bill, in a real sense, is the opposite of SOPA. It addresses the entirely justified security concerns of ordinary users.

There is another reason not to heed the advocates who oppose this title. They’re the guys who got us into this fix.